/*
A utility script that loads a file into process memory or saves process memory to a file.
Usage:
runidc rwproc load notepad 10000 200 new_contents.bin
^^This will load the contents of 'new_contents.bin' into the process memory of notepad at address 0x10000 with size 200
runidc rwproc save notepad 10000 200 contents.bin
^^This will write the contents of notepad process memory at address 0x10000 with size 200 into 'contents.bin'
(c) Hex-Rays
*/
#include <idc.idc>
#include "idascript.idc"
#include "procutil.idc"
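// Entry point. Reads the five positional arguments from ARGV (action, process
// name, hex address, hex size, file name), attaches the win32 debugger to the
// first process matching the name, and either copies the file into process
// memory ("load") or copies process memory into the file ("save").
// Exit codes: 0 on success; negative values via QuitMsg() for bad arguments,
// a missing process, an unopenable file, a failed attach, or a failed transfer.
static main()
{
    InitUtils();
    if (ARGV.count < 6)
    {
        Print(("Usage: rwproc.idc load|save processname addr_in_hex sz_in_hex to_file|from_file"));
        Quit(0);
    }
    LoadDebugger("win32", 0);

    auto PARAM_ACTION   = ARGV[1];
    auto PARAM_PROCNAME = ARGV[2];
    auto PARAM_ADDR     = ARGV[3];
    auto PARAM_SZ       = ARGV[4];
    auto PARAM_FN       = ARGV[5];

    // Parse operation mode: only the two literal actions are accepted, and the
    // rejection message names them so the caller knows what is expected.
    auto load;
    if (PARAM_ACTION == "load")
        load = 1;
    else if (PARAM_ACTION == "save")
        load = 0;
    else
        QuitMsg(-1, "Must pass either load or save; '"+PARAM_ACTION+"' passed.");

    // Find process by the given name
    auto procs = FindProcessByName(PARAM_PROCNAME);
    if (procs.count == 0)
        QuitMsg(-1, sprintf("No process by the name of %s was found!", PARAM_PROCNAME));

    // Both values are hex. xtol() yields 0 for unparsable input, which is
    // rejected as well: address 0 and a zero-length transfer are never useful.
    auto addr = xtol(PARAM_ADDR);
    if (addr == 0)
        QuitMsg(-2, "Invalid address passed!");
    auto sz = xtol(PARAM_SZ);
    if (sz == 0)   // validate the size itself, not the address a second time
        QuitMsg(-3, "Invalid size passed!");

    if (procs.count > 1)
        Print(("Found multiple processes with same name, will use the first one only!\n"));

    // Open the file before attaching so a bad path fails without touching the target.
    auto fp;
    if (load)
        fp = fopen(PARAM_FN, "rb");
    else
        fp = fopen(PARAM_FN, "wb");
    if (fp == 0)
        QuitMsg(-4, sprintf("Failed to open %s for reading or writing!", PARAM_FN));

    if (!AttachToProcess(procs[0]))
    {
        // QuitMsg() (idascript.idc) presumably exits the script, so the file
        // must be closed before it is called, not after.
        fclose(fp);
        QuitMsg(-4, "Failed to attach!");
    }

    // loadfile()/savefile() return a success flag; a failed transfer must not
    // be reported as completed.
    auto ok;
    if (load)
        ok = loadfile(fp, 0, addr, sz);
    else
        ok = savefile(fp, 0, addr, sz);
    DetachFromProcess();
    fclose(fp);

    if (!ok)
    {
        if (load)
            QuitMsg(-5, sprintf("Failed to load %d byte(s) from '%s' into process '%s' at %08X", sz, PARAM_FN, PARAM_PROCNAME, addr));
        else
            QuitMsg(-5, sprintf("Failed to save %d byte(s) to '%s' from process '%s' at %08X", sz, PARAM_FN, PARAM_PROCNAME, addr));
    }

    if (load)
        Print(("Loaded %d byte(s) from '%s' into process '%s' at %08X", sz, PARAM_FN, PARAM_PROCNAME, addr));
    else
        Print(("Saved %d byte(s) to '%s' from process '%s' at %08X", sz, PARAM_FN, PARAM_PROCNAME, addr));
    Quit(0);
}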